CIVL4170 Week4: Risk Analysis - Identify, Assess and Treat Risks (Part 2)

Lecture Overview

• Steps in Risk Management (ISO31000 Framework):
  • Step 1: Establish the Context
  • Step 2: Risk Identification
  • Step 3: Risk Analysis
  • Step 4: Risk Evaluation
  • Step 5: Risk Treatment

Example Risk Assessment: Filling a Road Tanker at a Tanker Depot

• Depot Operations:
  • Receives petrol and diesel from a local refinery via underground pipeline.
  • Pumps fuel from underground tanks into road tankers.
  • Site has an office building and 20 workers.
  • Four truck loading bays allow simultaneous loading of 4 trucks.
  • Spill kits located at each loading bay.
  • Mobile plant operating on-site.
  • Equipped with operators, manual emergency stop button, overflow bunds, and emergency clean up equipment.

Product Information:

• Unleaded Petrol:
  • Solubility in Water: Nil
  • Specific Gravity: 0.73-0.75
  • Relative Vapour Density (air = 1): 3.5
  • Vapour Pressure: 67kPa at 37.8^{\circ}C
  • Flash Point: -40^{\circ}C
  • Flammability Limits: 1.4 - 7.4 \%
• Diesel:
  • Solubility in Water: Nil
  • Specific Gravity: 0.82-0.85
  • Relative Vapour Density (air = 1): >1
  • Vapour Pressure: <0.1 kPa at 20^{\circ}C
  • Flash Point: >61.5^{\circ}C

Project Scope

• In Scope
  • People: Operators, maintenance teams, tanker drivers, and those potentially impacted by vapour/liquid losses (on and off-site).
  • Locations: Tank farm (Brisbane, Australia), plant tank bund areas, gas dispersion and blast zones, control room.
  • Equipment: Tanks, piping, valves, instruments, control systems, bunds, road tankers.
  • Activities: Filling, emptying, maintaining tanks, on-site driving, connecting tankers.
  • Timeframes: Continuous (24/7, 365 days/year), including shift handover; typical tanker filling time of approximately 1 hour.
  • Environmental: Brisbane climatic conditions (cyclones, heavy rain, strong winds, lightning, floods).
  • Scenarios: Loss of containment of liquid (fire/explosion), sabotage.
  • Other Assumptions: Road tankers roadworthy, personnel communicate in English, only petrol and diesel pumped.
• Out of Scope
  • Unauthorized persons/trespassers.
  • Ship personnel.
  • Areas outside bund and gas dispersion/blast zones.
  • Equipment used for tank maintenance/cleaning.
  • Activities carried out on tank when out-of-service.
  • Process of loading tanks from ships.
  • Potential major upgrades or decommissioning.
  • Extreme cold/snow/icing events, bushfires, earthquakes, tsunamis.
  • Minor injury or asset damage only scenarios.

Step 2: Risk Identification - HAZID

• Hazard: Potential source of harm (energy source).
• Description of Hazard: Detailed information about the hazard.
• Description of Unwanted Event Scenario: Describes the "loss of control/containment/awareness" (the "knot" or "top event").
• Description of Causes: Details about threats that could release the hazard.
• Description of the Consequence: Outcome or impact of the unwanted event.

Risk Identification Examples

• Mechanical (Moving Vehicles):
  • Hazard: Large road tankers maneuvering on-site.
  • Unwanted Event: Uncontrolled contact between vehicle and operator.
  • Causes: Driver error, illness, poor visibility, poor directions.
  • Consequence: Operator/worker hit by vehicle resulting in severe injury/fatality.
• Mechanical (Moving Vehicles):
  • Hazard: Large road tankers maneuvering on-site.
  • Unwanted Event: Uncontrolled contact between vehicle and pipework/storage tanks.
  • Causes: Driver error, illness, poor visibility, poor directions.
  • Consequence: Major loss of containment of fuel.
• Mechanical (Moving Vehicles):
  • Hazard: Mobile road tankers connected to fixed plant during filling.
  • Unwanted Event: Uncontrolled movement of vehicle during filling, disconnecting pipes.
  • Causes: Handbrake not applied/faulty, driver error.
  • Consequence: Major loss of containment of fuel.
• Chemical (Flammable/Explosive):
  • Hazard: Petrol.
  • Unwanted Event: Overfilling tanker.
  • Causes: Inlet valve failure, outlet valve failure, blocked outlet pipe, faulty level sensors.
  • Consequence: Major loss of containment.
• Chemical (Flammable/Explosive):
  • Hazard: Petrol.
  • Unwanted Event: Leak in feed line/tank/outlet piping.
  • Causes: Corrosion, cracking, external damage, loosened flange.
  • Consequence: Major loss of containment.
• Pressure (External Fire/Extreme Temperatures):
  • Hazard: External fire or extreme temperatures.
  • Unwanted Event: Overpressurizing tank.
  • Causes: Excessive external heat, failed pressure relief/vent equipment.
  • Consequence: Vapour releases leading to vapour cloud explosion causing multiple fatalities/injuries and severe equipment/environmental damage.
• Electrical (Static Electricity):
  • Hazard: Static electricity.
  • Unwanted Event: Uncontrolled build-up of static electricity contacts petrol vapour.
  • Causes: Incorrect material selection/grounding.
  • Consequence: Static electricity ignites fuel vapour in tanker, causing explosion.
• Environmental (Lightning Strikes):
  • Hazard: Lightning Strikes.
  • Unwanted Event: Ignition of vapour during filling.
  • Causes: Lightning strike on filling facility.
  • Consequence: Explosion in tank farm, destroying tank, causing potential multiple fatalities/injuries and severe equipment/environmental damage.
• Gravity (Falling Objects):
  • Hazard: Falling objects.
  • Unwanted Event: Overhead piping, fittings falling.
  • Causes: Corrosion, wear and tear, damage, incorrect fitment.
  • Consequence: Person injured when struck by falling objects.
• Human Capability (Errors):
  • Hazard: Mixing of incompatible liquids.
  • Unwanted Event: Petrol pumped into diesel tanker.
  • Causes: Connection error, misidentification of liquid/tank.
  • Consequence: Contaminated inventory sold to customers causing vehicle damage.
• Liquid Spills into Bund:
  * Liquid Spills into bund and
  * ignites causing a pool fire or,
  * vaporises to form a vapour cloud that explodes causing multiple fatalities/serious injuries, equipment damage and onsite environmental damage

Clarification on Preventative vs. Mitigating Controls

• A failed preventative (arresting) control CAN be a cause of an unwanted event.
• A mitigating control CANNOT be a cause.
• A mitigating control mitigates the consequence AFTER the unwanted event and has no impact on the occurrence of the unwanted event.

Examples of Hazards and Unwanted Events

• Hazard description:
  * Electrical equipment (good, but not 100% perfect)
  * Use of equipment requiring 240V electricity
  * Electrical energy (ok but broad)
• Unwanted event:
  * Arc flash from electrical equipment or pump in confined space. (good, but could also argue this is a consequence)
  * Unwanted release of electrical energy
  * Uncontrolled flow of electrical energy
• Multiple unwanted events are possible related to the use of equipment requiring 240V.

Step 3: Risk Analysis

• Determining impact and estimating likelihood give an overall risk ranking.

Risk Ranking Matrix

• A matrix is used to determine the risk rating based on likelihood and impact.
• Likelihood is categorized: Rare, Unlikely, Moderate, Likely, Almost Certain.
• Impact is categorized considering: Reputation, OH&S (Occupational Health & Safety), Asset Damage, Environment, Legal.
• Impact Level examples:
  • Catastrophic
    *Fatalities
    *> $50 m
  • Major
    *Permanent, serious disability
    *$10m - $50 m
• Risk Rating Levels:
  • High (15-50)
  • Significant (10-14)
  • Medium (4-9)
  • Low (1-3)
• Risk Acceptability:
  • Unacceptable: Operations do not continue until risk is reduced.
  • ALARP (As Low As Reasonably Practicable) Band 1: Action as a high priority to reduce risk.
  • ALARP Band 2: Action to reduce risk where possible.
  • Generally Acceptable: Manage with regular monitoring and review.
• Risk matrix values as shown below:
  * Reputation/Impact
  * Almost Certain: A = 50
  * Likely: B = 25
  * Moderate: C = 20
  * Unlikely: D = 5
  * Rare: E = 2
• OH&S
  * Almost Certain: 25
  * Likely: 20
  * Moderate: 10
  * Unlikely: 5
  * Rare: 2
• Asset damage
  * Almost Certain: 50
  * Likely: 25
  * Moderate: 20
  * Unlikely: 10
  * Rare: 5
• Environment
  * Almost Certain: 50
  * Likely: 25
  * Moderate: 20
  * Unlikely: 10
  * Rare: 5
• Legal
  * Almost Certain: 50
  * Likely: 25
  * Moderate: 20
  * Unlikely: 10
  * Rare: 3

Risk Analysis Example

• The slide provides a table that demonstrates the use of risk ranking. For each risk the impact on people, assets, environment, and reputation is ranked. Then the likelihood of the risk and the over risk rank are estimated.

Step 4: Risk Evaluation

• Evaluate risks based on the risk ranking and matrix to determine if additional risk assessment tools (LOPA, Bowtie) are needed.
• Determine what controls are required to effectively manage the risk.
• Determine required monitoring and review to ensure risks and risk controls are effectively managed.

Risk Evaluation Example

• The slide includes a table that builds on the previous slide by providing risk evaluation (refer to guidance at bottom of risk matrix), and comments on recommended risk treatment options.

Step 5: Risk Treatment

• Determine the level of risk treatment required and how the risks will be addressed.
• Consider inherently safer design options first.
• Controls must actually control the risk (measuring alone is not a control).

Inherently Safe Design (ISD)

• Involves challenging design assumptions by asking:
  • Why are we doing this?
  • Do we really have to perform this activity? If so, in this way?
  • What is the aim?
  • Can we eliminate, minimise, or substitute the hazardous material/activity?
  • Can we moderate or simplify the process to reduce severity and improve detection/management of deviations?

Hierarchy of Controls

• A diagram presenting the hierarchy of controls for managing risks, adapted from the Centers for Disease Control and Prevention, US Dept of Health and Human Services is presented.

Control Options

• Layers of Protection/Defense in Depth aim to stay within safe operating/working conditions.
• Automated control systems respond to unsafe situations (independent from worker).
• Activated to mitigate the consequences of unwanted event scenarios.
• Fast response of trained/skilled people to mitigate accident consequences (e.g. firefighting, first aid).
• External public emergency personnel.

Bowtie Analysis

• Defense-in-Depth can be derived from bowtie analyses.

What is a Control?

• A control is an object and/or human action that will arrest or mitigate an unwanted event sequence.
• Sensors are NOT complete controls.
• Training is NOT a control.
• Alarms are NOT complete controls.
• Signage is NOT a control.
• A sensor, combined with an alarm AND an automated action OR an operator action IS a control.

Traffic Lights as Controls

• A traffic light is NOT a complete control.
• A traffic light combined with an operator response (driver stopping at a red light) IS a control.

Boom Gate as a Control

• A boom gate at a rail crossing IS a control because:
  • There is a measurement (oncoming trains).
  • There is a decision (to halt road traffic).
  • There is an action (lowering a physical barrier).